the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work!

52 Posts 41 Posters 208 Views
0xabad1dea@infosec.exchange wrote:

the infosec people at my work are rioting because the Distant Corporate Overlord sent an email that scores 10/10 on the phishing scale (“We want to give you a present to thank you for all your hard work! [Click here] to claim your gift!”)

brunius@mastodon.au wrote (#13), in reply to 0xabad1dea@infosec.exchange:

    @0xabad1dea everyone got sent a digital gift card around christmas a couple of years ago. apparently they got thousands of reports (I'd guess about 1/4 of the business)

guigsy@mstdn.social wrote (#14), in reply to 0xabad1dea@infosec.exchange:

      @0xabad1dea I got a similar email... from IT. It was basically, "Congratulations! You've been selected as a trial user for our new authentication system. Please click here to go to a dodgy URL and fill in all your existing credentials." With no contact listed. And no information about it on the intranet.

      It took some digging before I found someone in IT support that could verify that it wasn't a phish.

0xabad1dea@infosec.exchange wrote:

phishing training really doesn’t spend enough time on “how to structure your mass corporate communications in such a way that your employees won’t conclude that you communicate exactly like scammers and still expect a reply so they’d better assume scammy emails are legitimate”

sysop408@sfba.social wrote (#15), in reply to 0xabad1dea@infosec.exchange:

        @0xabad1dea I think about this so much at this time of year because I help run a car show and my job is to get everyone to register their cars and pay their entry fees. I've learned that most car enthusiasts are not very tech savvy.

        We have a limited time to do this and I'm coordinating hundreds of people. Here I am sending them progressively urgent emails, text messages, and occasional phone calls reminding them to confirm something, update their information, and pay their fees.

        My first thought: If someone sent me these messages, I'd delete them because they look like scams.

        My second thought after almost everyone does exactly what I ask them to do: "Oh shit, I'm conditioning all of these people to fall for scams."

xinit@mastodon.coffee wrote (#16), in reply to 0xabad1dea@infosec.exchange:

          @0xabad1dea
          Here I go on a tangent about CEO gifts.

          A couple years ago, a now EX-CEO proudly announced his amazing Christmas bonus for everyone.

          "It will be more personal than cash!"

          Yay, a disappointing box of borrel snacks, we thought.

          Somehow, our team's expectations weren't low enough. Cheap corporate merch; a hoodie, a travel coffee mug, and an umbrella. They really GET ME.

          So yeah, I'll bet that phishy present will be garbage anyhow.

david_chisnall@infosec.exchange wrote:

@0xabad1dea Microsoft put a big blue banner on all the broadcast-internal emails.

            I was in a meeting of the D&I Council where someone said they'd sent an email about an event and was surprised I didn't know about it. I eventually found the email: it had the same blue banner.

            That was when I learned that I had been trained to ignore any email that started with the blue banner. Asking around, I was not the only one. A lot of the internal communication problems had the root cause that there was so much pointless broadcast email that everyone ignored them and missed the important ones.

            Someone did an internal thing for a hackathon as an Outlook plugin that would estimate the reading time for emails, interrogate the employee database to find the levels, multiply by the average salary for that level scaled to the reading time, and then give you an estimate of how much an email was costing the company if the recipients read it. It never shipped because management didn't like being reminded that they were burning tens of thousands of dollars with their emails.

0x2ba22e11@unstable.systems wrote (#17), in reply to david_chisnall@infosec.exchange:

@david_chisnall @0xabad1dea I just thought of a justifiable tweak to make the program output even angrier: instead of reporting time spent, report a guesstimated opportunity cost.

e.g. if a company has $10M revenue on $5M staffing costs then report a guesstimated opportunity cost as double each employee's salary.

pmb00cs@mastodon.online wrote (#18), in reply to 0xabad1dea@infosec.exchange:

              @0xabad1dea there was practically a riot at a previous employer because they announced that for business performance reasons there would be no Christmas bonuses, then a couple of days later sent out a business wide email "as a thank you for all your hard work this year we're giving you a Christmas present, click here to receive it". The Christmas present turned out to be mandatory phishing awareness training for anyone who clicked the link.

lupinia@infosec.exchange wrote:

@0xabad1dea This heavily overlaps with a wider societal problem of legitimate customer service communication being largely indistinguishable from scams to most people - intentional confusion and constant change, huge amounts of information disclosure required to do anything without always knowing why (and hesitation can be penalized), and so on. Pretty much entirely by design, in an attempt to minimize anyone's desire to ever contact companies directly.

diffrentcolours@tech.lgbt wrote (#19), in reply to lupinia@infosec.exchange:

                @lupinia @0xabad1dea And encouraging people to write their emails with an LLM to "sound professional" means that they end up reading like the emails that scammers write with an LLM to "sound professional".

xinit@mastodon.coffee wrote (#20), in reply to pmb00cs@mastodon.online:

                  @pmb00cs
                  I'm angry just reading this.
                  @0xabad1dea

tomdb@mastodon-belgium.be wrote (#21), in reply to guigsy@mstdn.social:

                    @guigsy @0xabad1dea Even worse when it originates from a department that should know better.

pmb00cs@mastodon.online wrote (#22), in reply to xinit@mastodon.coffee:

@xinit @0xabad1dea it did, eventually, elicit an apology from senior leadership for the "poor timing" of it all.

jwdt@mastodon.social wrote:

@0xabad1dea then there's ones from banks, government things, big brands etc.

c0dec0dec0de@hachyderm.io wrote (#23), in reply to jwdt@mastodon.social:

@jwdt @0xabad1dea tertiary health care providers that you’ve never heard of, but apparently the anesthesiologist doesn’t work for the hospital nor bill through the hospital, and in this modern day decides to email and text you to demand payment.

brnrd@bsd.network wrote (#24), in reply to 0xabad1dea@infosec.exchange:

@0xabad1dea I've tried to get them to compile statistics on internal comms that were reported as phishing so we could try to hunt down the perps. Potentially creating a wall-of-shame for them.

                          Big nope (zero surprise).

pmb00cs@mastodon.online wrote (#25), in reply to xinit@mastodon.coffee:

                            @xinit @0xabad1dea funnily enough it wasn't as bad as when they decided to save money by switching from Yorkshire Tea to Tetley Tea. That decision lasted about a month.

somethingcat@fedia.social wrote (#26), in reply to 0xabad1dea@infosec.exchange:

                              @0xabad1dea During the summer before I started college, I got an email from (what appeared to be) a separate health care provider telling me to click the link and enter my social security number to register myself in their system. This was from an external email address, and I received no notice about it from the college, but after looking around it was actually legitimate.

the_turtle@mastodon.sdf.org wrote (#27), in reply to 0xabad1dea@infosec.exchange:

                                @0xabad1dea is your CEO a deposed Nigerian prime minister or something?

guigsy@mstdn.social wrote (#28), in reply to tomdb@mastodon-belgium.be:

                                  @TomDB @0xabad1dea yeah. I checked colleagues and nobody else had received the message. It looked very phishy. It said "you must do this within 7 days"... so I ignored it. Only to receive an identical message, giving me another 7 days. After a few weeks, I was motivated enough to stop the spam and make the effort to find out if it was legit. Extremely poor infosec practices from my IT department.

misusecase@twit.social wrote (#29), in reply to lupinia@infosec.exchange:

                                    @lupinia @0xabad1dea When so much “legal, legitimate” business is basically a scam, how can anyone tell?

drgroftehauge@sigmoid.social wrote (#30), in reply to pmb00cs@mastodon.online:

                                      @pmb00cs @0xabad1dea Love your IT department for that little "fuck u" Mr CEO email

katieloves2read@mastodon.social wrote (#31):

                                        @s0 @0xabad1dea I had the same experience multiple years in a row.
Vague "click now to get started with your experience" button in an external email that wasn't whitelisted. Turned out to be cyber security training.

tom_ofb@23.social wrote (#32), in reply to 0xabad1dea@infosec.exchange:

                                          @0xabad1dea I mean, it must be a test, right? A free gift, from corpo? C'mon.
